root权限丢失
今天本来是想把root修改成别的名字 哪知道是直接创建一个用户,然后root给我删除了,啥权限都没了,user表 权限全是n,我当时连user表都给我清空了害怕冲突
|
1
|
TRUNCATE TABLE user; 清空user表数据 |
|
1
|
insertintomysql.user(Host,User,Password)values("localhost","root","****"); //插入数据
|
|
1
2
3
4
5
6
7
|
mysql> select* from user;
+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections |+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+| localhost | root | ***** | N | N | Y | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | N | | | | | 0 | 0 | 0 | 0 |+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+1 row inset(0.00 sec) |
权限全部变成N了,想做啥都是报错,更新 查询 删除。。。没权限,怎么办了
首先杀死
|
1
2
3
|
killall mysqlkiall mysqld后台启动bin/mysqld_safe--user=mysql --skip-grant-table --skip-networking
|
屏蔽权限。
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
|
use mysql先开始更新还是报错 所以先修改更新权限update user setUpdate_priv ='Y'where user = 'root';
如果root 没有所有数据的权限update user setSelect_priv ='Y'where user = 'root';
update user setInsert_priv ='Y'where user = 'root';
update user setUpdate_priv ='Y'where user = 'root';
update user setDelete_priv ='Y'where user = 'root';
update user setCreate_priv ='Y'where user = 'root';
update user setDrop_priv ='Y'where user = 'root';
update user setReload_priv ='Y'where user = 'root';
update user setShutdown_priv ='Y'where user = 'root';
update user setProcess_priv ='Y'where user = 'root';
update user setFile_priv ='Y'where user = 'root';
update user setGrant_priv ='Y'where user = 'root';
update user setReferences_priv ='Y'where user = 'root';
update user setIndex_priv ='Y'where user = 'root';
update user setAlter_priv ='Y'where user = 'root';
update user setShow_db_priv ='Y'where user = 'root';
update user setSuper_priv ='Y'where user = 'root';
update user setCreate_tmp_table_priv ='Y'where user = 'root';
update user setLock_tables_priv ='Y'where user = 'root';
update user setExecute_priv ='Y'where user = 'root';
update user setRepl_slave_priv ='Y'where user = 'root';
update user setRepl_client_priv ='Y'where user = 'root';
update user setCreate_view_priv ='Y'where user = 'root';
update user setShow_view_priv ='Y'where user = 'root';
update user setCreate_routine_priv ='Y'where user = 'root';
update user setAlter_routine_priv ='Y'where user = 'root';
update user setCreate_user_priv ='Y'where user = 'root';
update user setEvent_priv ='Y'where user = 'root';
update user setTrigger_priv ='Y'where user = 'root';
|
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
|
Select_priv。确定用户是否可以通过SELECT命令选择数据。Insert_priv。确定用户是否可以通过INSERT命令插入数据。Update_priv。确定用户是否可以通过UPDATE命令修改现有数据。Delete_priv。确定用户是否可以通过DELETE命令删除现有数据。Create_priv。确定用户是否可以创建新的数据库和表。Drop_priv。确定用户是否可以删除现有数据库和表。Reload_priv。确定用户是否可以执行刷新和重新加载MySQL所用各种内部缓存的特定命令,包括日志、权限、主机、查询和表。Shutdown_priv。确定用户是否可以关闭MySQL服务器。在将此权限提供给root账户之外的任何用户时,都应当非常谨慎。Process_priv。确定用户是否可以通过SHOW PROCESSLIST命令查看其他用户的进程。File_priv。确定用户是否可以执行SELECT INTO OUTFILE和LOAD DATA INFILE命令。Grant_priv。确定用户是否可以将已经授予给该用户自己的权限再授予其他用户。例如,如果用户可以插入、选择和删除foo数据库中的信息,并且授予了GRANT权限,则该用户就可以将其任何或全部权限授予系统中的任何其他用户。References_priv。目前只是某些未来功能的占位符;现在没有作用。Index_priv。确定用户是否可以创建和删除表索引。Alter_priv。确定用户是否可以重命名和修改表结构。Show_db_priv。确定用户是否可以查看服务器上所有数据库的名字,包括用户拥有足够访问权限的数据库。可以考虑对所有用户禁用这个权限,除非有特别不可抗拒的原因。Super_priv。确定用户是否可以执行某些强大的管理功能,例如通过KILL命令删除用户进程,使用SETGLOBAL修改全局MySQL变量,执行关于复制和日志的各种命令。Create_tmp_table_priv。确定用户是否可以创建临时表。Lock_tables_priv。确定用户是否可以使用LOCK TABLES命令阻止对表的访问/修改。Execute_priv。确定用户是否可以执行存储过程。此权限只在MySQL 5.0及更高版本中有意义。Repl_slave_priv。确定用户是否可以读取用于维护复制数据库环境的二进制日志文件。此用户位于主系统中,有利于主机和客户机之间的通信。Repl_client_priv。确定用户是否可以确定复制从服务器和主服务器的位置。 |
|
1
2
3
4
5
|
setpassword for'root'@'localhost'=password('****');
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'WITH GRANT OPTION ;
flush privileges;bye更新密码 |
|
1
2
3
|
谨慎操作delete from user where not(host="localhost"and user="root");
flush privileges; |
现在再来查看下
|
1
2
3
4
5
6
7
|
mysql> select* from user;
+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+| Host | User | Password | Select_priv | Insert_priv | Update_priv | Delete_priv | Create_priv | Drop_priv | Reload_priv | Shutdown_priv | Process_priv | File_priv | Grant_priv | References_priv | Index_priv | Alter_priv | Show_db_priv | Super_priv | Create_tmp_table_priv | Lock_tables_priv | Execute_priv | Repl_slave_priv | Repl_client_priv | Create_view_priv | Show_view_priv | Create_routine_priv | Alter_routine_priv | Create_user_priv | Event_priv | Trigger_priv | ssl_type | ssl_cipher | x509_issuer | x509_subject | max_questions | max_updates | max_connections | max_user_connections |+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+| localhost | root | *01540717ECF753C83ECBAD389C3CE2291FDD5BD4 | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | Y | | | | | 0 | 0 | 0 | 0 |+-----------+------+-------------------------------------------+-------------+-------------+-------------+-------------+-------------+-----------+-------------+---------------+--------------+-----------+------------+-----------------+------------+------------+--------------+------------+-----------------------+------------------+--------------+-----------------+------------------+------------------+----------------+---------------------+--------------------+------------------+------------+--------------+----------+------------+-------------+--------------+---------------+-------------+-----------------+----------------------+1 row inset(0.00 sec) |
|
1
2
3
4
5
6
7
8
|
mysql> GRANT ALL PRIVILEGES ON *.* TO 'root'@'%'WITH GRANT OPTION ;
Query OK, 0 rows affected (0.00 sec)mysql> flush privileges;Query OK, 0 rows affected (0.00 sec)mysql> grant all on *.* to 'root'@'%'identified by '****';
Query OK, 0 rows affected (0.00 sec)mysql> flush privileges;Query OK, 0 rows affected (0.00 sec) |
都可以了
mysql目录权限
|
1
2
3
|
cpsuport-files/my-medium.cnf /etc/my.cnf //修改目录权限
chownroot:mysql /etc/my.cnf
chmod644 /etc/my.cnf
|
mysql安全设置
1.禁止远程连接mysql
因为我们的mysql只需要本地的php脚本进行连接,所以我们无需开socket进行监听,那么我们完全可以关闭监听的功能。
* 配置my.cnf文件,在[mysqld]部分添加 skip-networking 参数
BLOB:
MySQL的四种BLOB类型
类型 大小(单位:字节)
TinyBlob 最大 255
Blob 最大 65K
MediumBlob 最大 16M
LongBlob 最大 4G
2.删除默认的数据库和用户
drop database test;
use mysql;
delete from db;
delete from user where not(host="localhost" and user="root");
flush privileges;
4. 本地文件安全:
提高本地安全性,主要是防止mysql对本地文件的存取
set-variable=local-infile=0
6.最小权限用户:
create database db1;
grant select,insert,update,delete,create,drop privileges on database.* to user@localhost identified by 'passwd';
7. 限制普通用户浏览其它数据库,编辑my.cnf在[mysqld]添加:
--skip-show-database
8.快速修复MySQL数据库
修复数据库
mysqlcheck -A -o -r -p
修复指定的数据库
mysqlcheck -o -r database -p
9.跟据内存的大小选择MySQL的配置文件:
my-small.cnf # > my-medium.cnf # 32M - 64M
my-large.cnf # memory = 512M
my-huge.cnf # 1G-2G
my-innodb-heavy-4G.cnf # 4GB
服务器安全总结:
1.root用户禁止使用,加深root密码
2.定期更改数据库的名字及管理员帐密
3.定期备份数据
4.关闭不需要的服务
5.创建一个User账户,运行系统
6.Nginx安全加固和优化
7.网站目录权限设置:
(1)网站上传目录和数据库目录一般需要分配“写入”权限,但一定不要分配执行权限
(2)其他目录一般只分配“读取”权限即可
8.外网只开80,其他端口没对外开放
我们从这8个方面考虑
首先是从工具自动生成加密密码,root禁用
2.定期给数据库修改密码
|
1
2
3
4
5
6
7
8
9
10
11
12
|
//进入数据库
mysql -u root -p123456//创建用户
insert into mysql.user(Host,User,Password)values(“localhost”, “abc”,password(“123“); (只添加一次)//修改密码
setpassword for'abc'@'localhost'=password('123456');
//刷新权限
flush privileges; //授权用户拥有权限center数据库所有权限(center 根据数据库名称修改)
grant all privileges on center.* to abc@localhost identified by '123456';
#刷新权限flush privileges; |
修改root账户,改变默认mysql管理员的名称这个工作是可以选择的,根据个人习惯,因为默认的mysql的管理员名称是root,所以如果能够修改的话,能够防止一些脚本小子对系统的穷举。我们可以直接修改数据库
|
1
2
|
update mysql.user setuser="abc"where user="root";
flush privileges; |
3.定期备份数据是最重要的(后面附上脚本)
4.关闭不需要的服务(脚本附上)
5.创建普通用户(脚本附上)
6.nginx加固
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
|
(这里配置文件直接在服务器部署时写入脚本里无需修改)(1).修改php.ini文件,将cgi.fix_pathinfo的值设置为0; 安全漏洞(2).彻底隐藏NGinx版本号的安全vim nginx.conf在http {—}里加上server_tokens off; 如:http {……省略sendfile on;tcp_nopush on;keepalive_timeout 60;tcp_nodelay on;server_tokens off;(3)编辑php-fpm配置文件,如fastcgi.conf或fcgi.conf(这个配置文件名也可以自定义的,根据具体文件名修改):找到:fastcgi_param SERVER_SOFTWARE nginx/$nginx_version;改为:fastcgi_param SERVER_SOFTWARE nginx;(4)重新加载nginx配置:# /etc/init.d/nginx reload |
服务器优化脚本
|
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
|
#!/bin/bash#The author:cs312779641mkdir-p /mysqlback
back=/mysqlback
#创建一个普通用户username=1234useradd $username
echo“1234” | passwd--stdin $username
#该脚本用于关闭服务器上非必须的系统服务项#定义所要停止的服务,可以根据实际服务器应用更改SERVICES="acpid atd auditd autofs avahi-daemon avahi-dnsconfd NetworkManager capi bluetooth cpuspeed cups dund firstboot haldaemon hidd ip6tables irda isdn mcstrans messagebus netfs netplugd nfslock pand pcscd portmap rawdevices restorecond xfs sendmail "
forservice in$SERVICES
do#关闭服务随系统启动chkconfig $service off#停止选择服务service $service stopdone#文件备份(实验)name=dbcd /data/
date=`date-I`;
tar-zcvf /$back/$name$date.tar.gz html
#数据库备份mysqldump --databases db -uroot -p123456 >/$back/db`date+%Y-%m-%d`.sql
#清空15天以前文件find/$back/ -mtime +15 -name "*.tar.gz"-execrm-rf {} \;
find/$back/ -mtime +15 -name "*.sql"-execrm-rf {} \;
#防火墙脚本cat> /etc/sysconfig/iptables<<EOF
# Firewall configuration written by system-config-securitylevel# Manual customization of this file is not recommended.*filter:INPUT ACCEPT [0:0]:FORWARD ACCEPT [0:0]:OUTPUT ACCEPT [0:0]:RH-Firewall-1-INPUT - [0:0]-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A INPUT -p icmp -j ACCEPT-A INPUT -i lo -j ACCEPT-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibitedCOMMITEOFservice iptables restart |
优化服务器,加深服务器安全,数据库也要加深安全,对运维或者安全来讲重则之重!!!
本文转自 cs312779641 51CTO博客,原文链接:http://blog.51cto.com/chenhao6/1320479